Create a Random-Key-Encrypted RAMdisk that Won't Be Swapped Out to Disk


Sorry if this is in the wrong section, I tried to put it in How-To's and it wouldn't let me post there. So I put it here instead.

If you download a lot, there are times you don't want to save anything to disk but still need somewhere to put it. Maybe you use full disk encryption and the overhead of writing to an encrypted container on a hard drive slows things down. Maybe you live in an oppressive regime and need to be able to instantly zap a large amount of data if stormtroopers kick your door in looking for your list of fellow revolutionaries. Linux has built-in tools for using free RAM as a virtual disk and for making encrypted containers, so we're going to combine them into an encrypted disk that stays in RAM, is never swapped to a hard drive, and can be zapped in a few seconds.

1. Create a mountpoint for the RAMdisk
The first thing we do is make a directory where we can mount the RAMdisk we're about to create.

Code:

sudo mkdir /mnt/ramdisk

2. Now we create and mount a RAMdisk

Code:

sudo mount -t ramfs none /mnt/ramdisk

This says to mount a filesystem of type ramfs, backed by no device ("none"), at /mnt/ramdisk. ramfs is a minimal in-memory filesystem: it grows as you write to it and its pages are never swapped out, which is exactly what we want. (tmpfs also lives in RAM and also grows on demand, but its pages can be swapped to disk, which defeats our goal.) The catch is that ramfs has no size limit at all: a maxsize= or size= mount option is accepted and silently ignored, so nothing stops a runaway write from eating every byte of RAM. In this setup the real limit is the size of the container file we create in step 4, so choose that with your free RAM in mind, and keep the ramfs mount root-only if other users share the machine.

3. Then change the permissions on the folder so your normal user can create the container file there (or skip this step and run the dd in step 4 with sudo; a world-writable ramfs lets any local user fill your memory).

Code:

sudo chmod 777 /mnt/ramdisk

4. Create a container file in the RAMdisk

Code:

dd if=/dev/urandom of=/mnt/ramdisk/cryptainer bs=1M count=500

This creates a 500MB file called 'cryptainer' in /mnt/ramdisk (500 blocks of 1M each). This count is what actually claims the RAM, since the whole encrypted filesystem will live inside this file, so size it according to how much memory you can spare.

5. Create the encrypted device inside the container file
First we find the first available loop device

Code:

sudo losetup -f

Now we attach the file /mnt/ramdisk/cryptainer to the loop device just reported (substitute the real name for loopX). This makes the cryptainer file show up as a block device, like a hard drive, but there's still no filesystem on it so you can't read and write files directly to it. Newer util-linux does both steps at once with `losetup -f --show /mnt/ramdisk/cryptainer`, which prints the device it picked.

Code:

sudo losetup /dev/loopX /mnt/ramdisk/cryptainer

Then we create an encrypted container device on top of the loop device with cryptsetup in plain (non-LUKS) mode, using AES in XTS mode as the cipher and a 512-bit key read straight from /dev/urandom (XTS splits that into two 256-bit AES keys). The container device, cryptramdisk, shows up as a regular block device at /dev/mapper/cryptramdisk to the rest of the system; anything written to it is encrypted under the random key before it lands in the cryptainer file, and reads are decrypted on the way back. Ordinarily you would keep the key somehow, in a file or in your head, so that you can close the device and reopen it later with the data intact. We don't care about that; we want to be able to destroy a large amount of data instantly. The key exists only in kernel memory, inside the dm-crypt mapping, and is never written anywhere: once the mapping is closed the data is unrecoverable, because nobody holds the key and brute-forcing a 256-bit AES key is computationally infeasible.

Just for good measure we'll use badblocks in write-test mode (-w) to push a random pattern (-t random) through the encrypted device, showing progress (-s). Good encryption looks like random data anyway, but I don't trust any single tool, and filling the cryptainer with encrypted random data makes doubly sure there's not even a theoretical possibility of cryptanalysis. To be clear about what this does and doesn't do: it does not add entropy to the key, which was already drawn from /dev/urandom, and the file was already filled from /dev/urandom in step 4, so this is belt-and-braces rather than a requirement. It is destructive (it overwrites the whole device) and costs another full write pass, so skip it if you're in a hurry.

Code:

sudo badblocks -swt random /dev/mapper/cryptramdisk

6. Mount the cryptainer
Next we make an ext2 filesystem on our cryptainer so that we can mount it like a regular hard drive. ext2 is a sensible choice here: it has no journal, so nothing gets written twice into RAM, and journal recovery is pointless on a filesystem that is thrown away on close.

Code:

sudo mkfs.ext2 /dev/mapper/cryptramdisk

Create a mountpoint

Code:

sudo mkdir /mnt/cryptramdisk

Mount the random-key-encrypted RAMdisk at /mnt/cryptramdisk

Code:

sudo mount /dev/mapper/cryptramdisk /mnt/cryptramdisk

Change the permissions so that you can write to the RAMdisk without being root

Code:

sudo chmod 777 /mnt/cryptramdisk

7. Write files
If you hate the lost+found folder like me get rid of it

Code:

cd /mnt/cryptramdisk
rm -rf ./lost+found

NOW, if you want to download a file from the Interwebs and don't want it ever saved in cleartext, or on a disk even in encrypted form, just save it to /mnt/cryptramdisk. The file is encrypted before it is stored in RAM but is accessible as if it were on a regular hard disk or flash drive. You may also notice downloads complete faster, since there is no disk I/O in the path at all and writes go straight to RAM (for most connections the network, not the disk, is the bottleneck, so don't expect miracles).

If you want to keep a file, copy it to another (preferably encrypted) device; if keeping others away from your data matters more than keeping it, leave it in the RAMdisk and it is gone when the RAM loses power. Be precise about what the encryption buys you against a cold-boot attack, though: while the mapping is open, the dm-crypt key sits in kernel memory right next to the ciphertext, and recovering that key from a running or just-powered-off machine is exactly what the published cold-boot attacks did against dm-crypt and similar systems. Encrypting the RAMdisk only helps once step 8 has run and the key has been discarded while the ciphertext is still in memory; before that point, the defence is how fast you can get to step 8. Epoxying the RAM modules to the motherboard raises the bar for an attacker who wants to pull them, but not for one who simply reboots the machine into their own memory-dumping image.

8. Close the cryptainer
THIS IS THE LAST CHANCE TO SAVE YOUR DATA! Once you close the cryptainer the data is gone for good, because nobody has the key: it was read from /dev/urandom straight into the kernel and was never stored anywhere. There are 2^512 ≈ 1.34 × 10^154 possible 512-bit keys (and even counting only the 2^256 ≈ 1.16 × 10^77 values of one of the two 256-bit AES keys XTS actually uses, the space is hopeless). At a trillion trillion trillion trillion (10^48) keys per second, exhausting the 512-bit space would take on the order of 4 × 10^95 millennia. That's somewhat longer than the black helicopters will be after you, so you'll be OK.

Unmount the filesystem first (cryptsetup refuses to remove a mapping that is still mounted), then remove the mapping, which wipes the key from kernel memory. Newer cryptsetup spells the second command `cryptsetup close cryptramdisk`.

Code:

sudo umount /mnt/cryptramdisk
sudo cryptsetup remove cryptramdisk

Detach the loop device

Code:

sudo losetup -d /dev/loopX

9. Just for good measure, overwrite the cryptainer file with random data and remove it
By default shred overwrites 3 times, which is more than enough for RAM; one pass (shred -n 1) would be more than enough, since the file only ever held ciphertext under a key that no longer exists. The -u removes the file afterwards, -f forces permissions if needed and -v shows progress.

Code:

shred -ufv /mnt/ramdisk/cryptainer

10. Unmount the ramdisk and that RAM should be available for use by the system again.

Code:

sudo umount /mnt/ramdisk

If you're really worried about the stormtroopers kicking your door down, you can set up a cron job or similar that runs every few minutes and asks you to press a key or enter a code to keep your RAMdisk from being zapped. Or you can script steps 8 through 10 and hook them to a keyboard shortcut or panic button. The possibilities are endless. What is certain is that with this method you don't have to wait long to permanently destroy the data: closing the mapping discards the key instantly, and securely wiping a few GB of RAM takes only a few seconds, and as far as I know there's no way even in the most paranoid delusions to recover what was stored in RAM a few write cycles ago. This method uses only standard Linux tools, so if you don't keep a shell history the commands themselves leave nothing behind; note, though, that sudo logs every command it runs to the system log (auth.log or the journal) unless configured otherwise, and a panic script stored on disk is itself a record of what you were doing.

This is my first tutorial, and I'm still learning the details of some of these tools, so I'm sure there's room for improvement. Please leave feedback.
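The post's commands are meant to be typed one at a time, and the cryptsetup command for step 5 is described but not shown above. The script below is an added example, not the post's own code, that wraps the whole procedure in both directions so it can sit behind a panic button as the closing paragraph suggests. It assumes root, util-linux losetup, GNU coreutils, and cryptsetup 1.6 or newer (the `open --type plain` / `close` syntax, the modern spelling of `create` / `remove`); the mountpoints, mapping name and 500MB size are the post's and can be overridden through the environment, and the /dev/loopN placeholder only appears in dry runs. It deliberately departs from the post in four places: the ramfs is mounted root-only, a free-RAM check stands in for the size cap ramfs does not have, the filesystem is unmounted before the mapping is closed, and shred makes one pass.

```shell
#!/bin/sh
# cryptramdisk.sh: build and destroy a random-key dm-crypt container in ramfs.
# Added example for the post above; not its own code. Assumes root (unless
# DRY_RUN=1), util-linux losetup, cryptsetup >= 1.6 and GNU coreutils.
# Paths, mapping name and size are assumptions, overridable via environment.
set -eu

RAMFS_MNT=${RAMFS_MNT:-/mnt/ramdisk}
CRYPT_MNT=${CRYPT_MNT:-/mnt/cryptramdisk}
MAPPER=${MAPPER:-cryptramdisk}
SIZE_MB=${SIZE_MB:-500}
HEADROOM_MB=256               # leave the kernel and page cache room to breathe
DRY_RUN=${DRY_RUN:-0}          # DRY_RUN=1 prints the plan instead of running it
CONTAINER=$RAMFS_MNT/cryptainer

die() { echo "cryptramdisk: $*" >&2; exit 1; }

# Echo a command, then run it unless DRY_RUN=1.
run() {
  echo "+ $*"
  [ "$DRY_RUN" = 1 ] || "$@"
}

# ramfs has no size cap of its own (size=/maxsize= options are silently
# ignored), so this check before dd is the only guard against eating all RAM.
# $1 = container size in MB, $2 = MemAvailable in kB (as in /proc/meminfo).
fits_in_ram() {
  [ "$2" -ge $(( ($1 + HEADROOM_MB) * 1024 )) ]
}

mem_available_kb() {
  awk '/^MemAvailable:/ { print $2 }' /proc/meminfo
}

create() {
  if [ "$DRY_RUN" != 1 ]; then
    [ "$(id -u)" -eq 0 ] || die "run as root"
    fits_in_ram "$SIZE_MB" "$(mem_available_kb)" || die "not enough free RAM for ${SIZE_MB}MB"
  fi
  run mkdir -p "$RAMFS_MNT" "$CRYPT_MNT"
  # Root-only ramfs: a world-writable one lets any local user fill memory.
  run mount -t ramfs -o mode=0700 ramfs "$RAMFS_MNT"
  # This dd is what actually claims the RAM; count is the real size limit.
  run dd if=/dev/urandom of="$CONTAINER" bs=1M count="$SIZE_MB" status=none
  if [ "$DRY_RUN" = 1 ]; then
    loop=/dev/loopN                        # placeholder for the dry run only
    echo "+ losetup -f --show $CONTAINER"
  else
    loop=$(losetup -f --show "$CONTAINER")
  fi
  # Plain dm-crypt, 512-bit AES-XTS key read straight from /dev/urandom: the key
  # exists only inside the kernel mapping and is discarded for good on close.
  run cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 512 \
      --key-file /dev/urandom "$loop" "$MAPPER"
  run mkfs.ext2 -q "/dev/mapper/$MAPPER"  # no journal: nothing written twice
  run mount "/dev/mapper/$MAPPER" "$CRYPT_MNT"
  run chmod 1777 "$CRYPT_MNT"             # /tmp-style sticky bit for non-root writers
}

# Panic path: every step is best-effort so one failure does not stop the rest.
destroy() {
  run umount "$CRYPT_MNT" || :
  run cryptsetup close "$MAPPER" || :     # discards the key; ciphertext is now noise
  if [ "$DRY_RUN" = 1 ]; then
    loops=/dev/loopN
  else
    loops=$(losetup -j "$CONTAINER" 2>/dev/null | cut -d: -f1)
  fi
  for l in $loops; do run losetup -d "$l" || :; done
  run shred -n 1 -u "$CONTAINER" || :      # one pass is plenty for RAM
  run umount "$RAMFS_MNT" || :
}

case "${1:-}" in
  create)  create ;;
  destroy) destroy ;;
  *)       echo "usage: $0 create|destroy   (DRY_RUN=1 prints the plan)" ;;
esac
```

Run `DRY_RUN=1 sh cryptramdisk.sh create` first to see every command it would issue; `sh cryptramdisk.sh destroy` is the part to bind to the panic key, and because each teardown step is best-effort it still closes the mapping and frees the RAM even if, say, the filesystem was already unmounted by hand.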